Money Doesn't Stink - Cybercriminal Business Insight of A New Android Botnet

Conference:  BlackHat EU 2019



The presentation discusses the findings of a research project on an IoT botnet and the shady activities of the group behind it. The researchers aim to understand the motivations and perceptions of the group towards their work.
  • The group behind the IoT botnet is involved in various shady activities, including selling and buying contacts and services.
  • The network is vast and complex, with different organizations and levels involved in developing and attacking the botnet.
  • The researchers found that the group is not motivated by the thrill of attacking, but rather by the need to make money.
  • The group is not perceived by all members as engaging in illegal activities, with some members simply perceiving their work as developing websites or providing services.
  • The researchers sent a report to authorities, but did not receive any response.
The researchers found that the group behind the IoT botnet is not motivated by the thrill of attacking, but rather by the need to make money. They observed that the group members were often struggling financially and would take on any job that paid, even if it involved shady activities. The researchers noted that the group members did not seem to have a lot of money, and would sometimes need to take out loans or struggle to pay for services. This suggests that the group is not made up of sophisticated cybercriminals, but rather individuals who are simply trying to make ends meet.


In mid 2018, we discovered one of the largest reported Android banking botnets known to date, that we named Geost. It was discovered when we saw one of their botmasters logging in into one of their C&C servers while using the insecure proxy network created by the HtBot malware. Computers infected with HtBot create an illegal network of proxies that are sold to customers, and our laboratory had one HtBot instance capturing the traffic. Geost resulted to be a new and very large Android Banking botnet operation targeting Russian citizens with almost 1 million victims, 15 C&C servers, thousands of domains, and thousands of malicious APK applications. This research starts with an analysis of all the OpSec failures that resulted in the discovery of Geost. Thought a treat intelligence process, we were able to know the Geost infrastructure, find domains and APKs related to it. Geost accesses all the SMS data of victims and has a direct connection to the systems of five large European banks. The operation of the botnet also includes traffic redirection and selling, data harvesting and access to premium SMS services. During the analysis, there was a breakthrough when we found a chat log of a cybercriminal entrepreneur group related to the Geost operation. This log exposed 28 people doing business for 8 months, discussing numerous projects and activities of the underground market and giving us a unique insight into how the business operation worked: the human relationships between the cybercriminals, daily routine tasks, motivational issues, money laundering, the decisions taken, and obstacles found. The criminal projects ranged from pay per install, phishing website hosting, and C&C development to malicious APKs and fake games development.This presentation shows the inner relationships of a blackmarket underground attacking group, their daily survival problems, decisions, money and struggles to make a living from malicious activities. How the hierarchy of malware development worked in the Geost botnet operation and the impact on the security of the victims. This work is unique because it shows the attackers communications in a private group and reveals a portion of how the underground cybercriminal business operates in relation with technical details of the malware. For them, operating a botnet was just one more job, and they showed no regrets or concerns about where the money is coming from, nor recognition that they were attacking others. At the end of the day, for them, the money didn't stink.